Amap Road Book

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Amap travel-roadbook generator, but it defaults to public publishing and can expose itinerary details and Amap credentials.

Review before installing. Only use this skill if you are comfortable with itinerary data being uploaded to a public server by default. Prefer local-only mode, use restricted or throwaway Amap keys, avoid including lodging or personal details, and rotate any Amap credentials that were already used in published outputs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (9)

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The script reads secrets from ~/.openclaw/openclaw.json in addition to environment variables, expanding its access to local credential material beyond the immediate input it needs. In a skill that can also publish generated artifacts remotely, this broader secret-reading behavior increases blast radius if the skill is misused or modified, and violates least-privilege expectations.

Description-Behavior Mismatch

High

Confidence: 100% confidence
Finding: The generated roadbook object includes amapKey and amapSecurityCode, then writes that object to JSON and embeds it into HTML. Because this skill is designed to publish artifacts to a public URL, it directly exposes live API credentials to anyone who can access the generated files, enabling key theft, quota abuse, and possible account compromise depending on provider restrictions.

Vague Triggers

Medium

Confidence: 91% confidence
Finding: The skill enables implicit invocation with no trigger constraints, so the platform may auto-select it in contexts the user did not clearly intend. In this skill, that is more sensitive than usual because it can generate and publish publicly accessible travel artifacts, potentially causing unintended data disclosure or external API usage without sufficiently explicit user consent.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: publishFiles() sends generated content to a hard-coded remote HTTP endpoint without an in-band warning, consent checkpoint, or clear disclosure at execution time. Users may unknowingly transmit itinerary data, embedded metadata, and potentially sensitive travel details over the network to an external service.

Missing User Warnings

High

Confidence: 100% confidence
Finding: The script writes API credentials, including the Amap security code, into roadbook.json and the generated HTML without any warning. Since these files are intended for sharing and may be published publicly, writing secrets to disk creates immediate credential disclosure risk even before upload.

Ssd 3

High

Confidence: 98% confidence
Finding: The skill description states that generated roadbook artifacts are published to a publicly accessible static directory by default. Travel itineraries commonly contain sensitive personal information such as dates, destinations, lodging areas, companions, and budget, so default public publication creates a clear confidentiality risk without requiring explicit informed consent.

Ssd 3

High

Confidence: 99% confidence
Finding: The workflow instructs the agent to publish user-provided travel data publicly unless the user explicitly refuses. This opt-out model is dangerous because users may not realize their itinerary and related personal details will be exposed on the public internet, making accidental disclosure likely.

Ssd 3

High

Confidence: 97% confidence
Finding: Requiring the response to include public URLs, server directory paths, and file paths increases the discoverability and exploitability of sensitive outputs. Exposing internal or remote filesystem locations also reveals infrastructure details that are unnecessary for normal users and can aid enumeration or abuse.

Ssd 3

Medium

Confidence: 96% confidence
Finding: The document explicitly acknowledges that public links may contain sensitive itinerary information, yet still keeps publication as the default. This makes the risk more credible, because the author recognized the confidentiality issue but did not implement a safer consent model.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal